To obtain an access token, a client interacts with an OAuth authorization server (AS), sending a request for an access token that includes an access grant. An access grant is also used when a resource server (RS) requests validation of an access token from the AS.
Primary grant types
OAuth defines several different access grant types. Each grant type reflects different authorization mechanisms.
- Authorization code
- An authorization code is returned to the client through a browser redirect after the resource owner (RO) gives consent to the AS. The client subsequently exchanges the authorization code for an access token and often a refresh token. RO credentials are never exposed to the client.
- Resource owner password credentials
- The client collects the RO's password and exchanges it at the AS for an access token and often a refresh token. This grant type is suitable in cases where the RO has a trust relationship with the client, such as its computer operation system or a highly-privileged application because the client must discard the password after using it to obtain the access token.
- Refresh token
- A refresh token often returns with an access token. Once the original access token expires, the corresponding refresh token is sent to the AS to obtain a fresh access token and fresh refresh token without requiring the RO to re-authenticate. This allows short-lived access tokens to exist between the client and the resource server and long-lived tokens between the client and the AS.
- The refresh token grant type only works in conjunction with either the authorization code or RO password credentials grant type.
When an attempt to replay an invalid refresh token is noticed, PingFederate revokes the entire chain of refresh and access tokens, forcing a re-authentication, subject to sessions and persistent grant settings.
- Client credentials
- The client presents its own credentials to the AS to obtain an access token. This access token is either associated with the client's own resources, and not a particular RO, or with a RO for whom the client is otherwise authorized to act.
Extension grant types
OAuth provides an extension mechanism for defining new extension grant types to support additional clients or to provide a bridge between OAuth and other trust frameworks. An OAuth client uses an extension grant type by specifying an absolute URI as the value of the grant_type parameter and by adding any additional parameters necessary when contacting the token endpoint at /as/token.oauth2.
PingFederate supports the following extension grant types:
- Assertion grants
- JWT Bearer
- The client obtains a JSON web token (JWT) and uses it to request an access token from the AS. This grant type allows a client to use an existing trust relationship, expressed through a JWT, without a direct user approval step at the AS.
- SAML 2.0 Bearer
- The client obtains a SAML 2.0 Bearer assertion and uses it to request
an access token from the AS. Similar to the JWT Bearer grant type,
this grant type allows a client to use an existing trust relationship,
expressed through a SAML assertion, without a direct user approval
step at the AS.Note:
The SAML assertion used for this grant type generally cannot be a browser-based SSO assertion. To ensure its validity, the assertion must be associated with WS-Trust security token service (STS) processing.
- Client-initiated backchannel authentication (CIBA) grant
- The client presents an identity hint to the AS. The AS identifies the RO based on the hint provided and then authenticates and obtains authorization from the RO through an out-of-band flow. Depending on the setup, the client either polls the AS for the authorization result or wait for a signal from the AS to return to the AS for the authorization result. If the RO approves the authentication request, the AS returns an access token to the client. Otherwise, the AS returns an error message per the specification.
- Device authorization grant
- The client presents a device code and user code to the AS to identify the device-authorization session and obtain an access token. This access token is associated with a RO for whom the client is otherwise authorized to act.
- token exchange grant
- The client presents a security token to the AS. In exchange, the AS returns another kind of security token to the client. The new token might be an access token that is more narrowly scoped for a downstream service or it could be an entirely different kind of token. This grant type supports subject and actor tokens employing impersonation and delegation.
- Validation grant
- This proprietary PingFederate OAuth extension enables an RS to act as a client in the request/response exchange with PingFederate as the AS in this scenario. The grant type allows an RS to check with PingFederate on the validity of a bearer access token received from a client making a protected-resources call.